We are glad to announce the availability of patch releases for VisualSVN products based on Apache Subversion 1.9.5. Besides important client-side and server-side improvements, the Subversion 1.9.5 patch release addresses the CVE-2016-8734 DoS vulnerability.
Up-to-date VisualSVN Server installations are not affected by the CVE-2016-8734 vulnerability. VisualSVN Server does not contain the mod_dontdothat module that has been found vulnerable. However, the Apache Subversion command-line client tools packaged with VisualSVN Server ('svn.exe', 'svnsync.exe', 'svnrdump.exe') are vulnerable. Exploiting the client-side vulnerability requires the client to connect to a compromised server, so the actual risks are relatively low. Nevertheless, we highly recommend updating to the newest VisualSVN Server builds.
Up-to-date VisualSVN 5.1.x (plug-in for Visual Studio) builds are potentially affected by the CVE-2016-8734 vulnerability. Exploiting this vulnerability requires the client tools to connect to a compromised server, so the actual risks are relatively low. Nevertheless, we recommend updating to the newest VisualSVN 5.1.5 build.
Update for VisualSVN Server
Users of VisualSVN Server should update to VisualSVN Server 3.5.7.
It is also recommended to upgrade to version 3.5.7 if you are using an earlier version family of VisualSVN Server. Please read the VisualSVN Server 3.5 Release Notes to find out what's new in the latest release. For detailed upgrade instructions, please see the knowledge base article KB95: Upgrading to VisualSVN Server 3.5.
Choose the appropriate patch build if you do not want to perform a significant upgrade right now:
- VisualSVN Server 3.4.8 if you have version 3.4.x installed.
- VisualSVN Server 3.3.8 if you have version 3.3.x installed.
The VisualSVN Server 3.3.x and 3.4.x version families will reach End of Support on 31st December 2016. After this date, no updates will be released for these version families. Users who are running VisualSVN Server 3.4.x or earlier should plan an upgrade to the latest VisualSVN Server 3.5.x builds. For further details, please read the corresponding End of Support announcement.
Other version families of VisualSVN Server are not supported and maintenance updates are not available for them. It is strongly recommended to upgrade to VisualSVN Server 3.5.7 if you are using 3.4.x or any of the older versions.
Update for VisualSVN (a plug-in for Visual Studio)
You can download the latest VisualSVN 5.1.5 build based on Apache Subversion 1.9.5 at the official download page.
Please note that you may be required to purchase an upgrade to VisualSVN 5.1.x if you are using VisualSVN 4.0.x or older versions. The upgrade is free if you are using VisualSVN under the Community License. However, commercial licenses issued before June 3rd, 2014 have to be upgraded. For further details, please check the VisualSVN plug-in Licensing page.